GRCWatch
Sign inStart free trial

SOC 2 CC1.1: Demonstrating Commitment to Integrity and Ethical Values

CC1.1 is the foundation of SOC 2 compliance—proving your organization operates with integrity and ethical values at every level. Without documented commitment and visible enforcement, auditors will flag gaps in your control environment. Learn what auditors expect and how to build a compliance culture that sticks.

What this means

CC1.1 requires your entity to establish and demonstrate a genuine commitment to integrity and ethical values across the organization. This means creating a documented code of conduct, clearly communicating ethical expectations to all employees and contractors, and actively reinforcing these values through hiring, training, and accountability mechanisms. The control recognizes that strong governance starts with leadership setting the tone and holding themselves to the same standards they expect from others.

How to comply

  1. 1.Develop and publish a formal code of conduct that defines ethical behavior, acceptable use policies, and consequences for violations
  2. 2.Communicate your integrity and ethical values to all employees, contractors, and third parties during onboarding and annually thereafter
  3. 3.Create a confidential reporting mechanism (hotline, email, or reporting tool) for employees to report suspected ethical violations without fear of retaliation
  4. 4.Establish and enforce disciplinary procedures that apply consistently across the organization, regardless of employee level or tenure
  5. 5.Document leadership's commitment through a signed tone-at-the-top statement demonstrating accountability for ethical culture
  6. 6.Conduct annual ethics training for all personnel and maintain attendance records
  7. 7.Perform periodic risk assessments to identify areas where integrity may be compromised (conflicts of interest, high-turnover positions, access-heavy roles)
  8. 8.Review and update your code of conduct at least annually to reflect organizational changes and emerging risks

Evidence auditors look for

  • Signed, dated code of conduct with version control and approval dates
  • Employee acknowledgment forms confirming receipt and understanding of ethics policies
  • Ethics training completion records with dates and participant names
  • Documented tone-at-the-top letter from leadership reaffirming commitment to integrity
  • Policy documentation for confidential reporting channels and non-retaliation guarantees
  • Investigation records demonstrating consistent application of disciplinary procedures
  • Annual ethics training curriculum covering relevant scenarios and organizational values
  • Risk assessments identifying integrity risks and mitigation strategies
  • Board or audit committee minutes discussing ethical culture and governance oversight

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates ethics training scheduling and acknowledgment tracking, generates annual tone-at-the-top reminders, and centralizes investigation documentation so you can prove consistent enforcement of your code of conduct to auditors.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CC1.2 — Board of Directors OversightCC1.3 — Management Establishes Structures, Reporting Lines, and Appropriate AuthoritiesCC1.4 — Entity Demonstrates Commitment to CompetenceCC1.5 — Entity Holds Individuals Accountable for Their Responsibilities